Since then, BSIMM has continued to grow and develop from the original 9 companies to 128 participating companies in 2021, involving nearly 3,000 software security group members and more than 6,000 satellite (security champion) members.
The BSIMM report provides a unique perspective based on data collected from real-world observations. It provides CISOs and other security leaders with a model and framework to test, measure, and benchmark their own software security programs against, including key activities, practices, and tools to consider for implementation.
Unlike prescriptive models such as regulations, standards, or secure software development life cycle (SSDL) process models, BSIMM is a descriptive model. It uses a "just the facts" approach that focuses on documenting observations, rationalizing data from those observations, and creating a common language to describe and communicate software security initiatives.
For companies, comparing the specific security activities in BSIMM against their own corresponding implementation status does not result in a good or bad judgement. Rather, the analysis can become the cornerstone of enterprise software security initiative improvement. BSIMM is the measuring stick for the security group, not a rulebook.
Most of the current cybersecurity issues in the automotive industry are related to vehicle connectivity and intelligence. In addition, the popularity of software-defined vehicle technology has made software security and the software development process in the automotive industry important enough to be discussed as a distinct category. Although BSIMM focuses on software security, it has also been used by product manufacturers in high-tech industries to measure product-related security activities rather than just software or application security.
BSIMM uses a framework of 12 software security practices organized under four domains—governance, intelligence, SSDL touchpoints, and deployment—currently encompassing 122 activities. BSIMM activities can be viewed as controls implemented in a software security risk management framework. The implemented activities might function as preventive, detective, corrective, or compensating controls in a software security initiative. Positioning the activities as controls allows for easier understanding of BSIMM’s value by governance, risk, and compliance teams, and by legal, audit, and other risk management groups.
Let’s take some specific security practices as examples to gain a better understanding of the value BSIMM offers the automotive industry, especially for building the software security system.